The good folks over at the Identity Theft Resource Center recently posted a very gracious thank-you to me and this site for helping track data breaches. I suspect that they’ll be pulling their hair out this weekend, though. đ
In addition to the 100 previously unreported breaches from 2009 that I posted here today, here are another 95 breach reports that were received by NYS between January 1, 2010 and April 12, 2010 and that we didn’t already know about. The following are organized by sectors. As always, if you spot any errors or corrections, please let me know by using the Comments section on this site.
Of particular note in this batch, it appears that the Tropical Supermarket chain was hacked.  Since these reports were first received April 12, there may be more to come.
Healthcare Sector: 6 reports:
- Health Net – Inadvertent disclosure – 18
- Harlem Hospital – Unauthorized access – 1,034
- Brookhaven Memorial Hospital Medical Center – Stolen computer – 38
- Blue Cross Blue Shield of Western NY – Inadvertent disclosure – 1
- Blue Cross Blue Shield of Western NY – Inadvertent disclosure – 1
- Blue Cross Blue Shield of Western NY – Inadvertent disclosure- 20
Financial Sector: 27 reports
- Oppenheimer Funds – Inadvertent disclosure – 2
- Oppenheimer Funds – Â Inadvertent disclosure – 1
- Oppenheimer Funds – Inadvertent disclosure – 1
- HSBC – Fraudulent access – 1
- USAA Federal Savings Bank – Vendor incident – 1
- Experian – Unauthorized access – 3
- Chemung Canal Trust Company – Unauthorized access – 1
- Sovereign Bank – Unauthorized access – 3
- JP Morgan Chase Bank NA – Insider wrongdoing – 46
- Primerica – Stolen computer – 3
- ING Funds – Inadvertent disclosure – 11
- Ameriprise Financial, Inc. – Insider wrongdoing – 1
- Ameriprise Financial, Inc. – Lost computer – 1
- Equifax Inc. – Hacking – 4
- Equifax – Inadvertent disclosure – 35
- Equifax Information Services LLC – Hacking – 1
- Goldman Sachs & Co. – Insider wrongdoing – 1
- Riggs Capital Management LLC – Hacking – 1
- Raymond James FInancial – Inadvertent disclosure – 1
- Morgan Stanley Smith Barney – Hacking – 11
- Morgan Stanley Smith Barney– Â Lost computer – 14
- Nationwide Bank – Inadvertent disclosure- Â 62
- Chase Bank USA, N.A. – Unauthorized access – 187
- Fidelity Investments – Inadvertent disclosure – 18
- Agway Liquidating Trust – Inadvertent disclosure – 4,400
- BNY Mellon Shareowner Services – Â Inadvertent disclosure – 2
- The Vanguard Group, Inc. – Â Inadvertent disclosure – 1
Business Sector:Â 47 reports:
- STJ Orthotic Services – Stolen computer – 12
- T-Mobile – Insider wrongdoing – 1
- Paraco Gas Corporation – Stolen computer – 241
- General Motors Company – Inadvertent disclosure – 64
- State Farm Automobile Insurance Company – Insider wrongdoing – 1
- State Farm Automobile Insurance Company – Insider wrongdoing – 10
- Ann Taylor Stores Corp – Insider wrongdoing – 1
- Eisner LLP – Stolen computer – 40
- The Clay Store – Hacking – 1
- Tropical Supermarket #4 – Hacking – 1
- Tropical Supermarket #11/#15 – Hacking – 2
- Tropical Supermarket #13 – Hacking – 7
- Tropical Supermarket #14 – Hacking – 3
- MAF Background Screening – Stolen computer – Â 15
- At Once Wedding and Party Supplies – Hacking – 23
- Wedge Corporation – Hacking – 1
- Pro-Assurant Mid-Continent Underwriters – Hacking  – 1
- Point Artworks – Stolen computer – Â 1
- Building Media, Inc. – Hacking – 81
- Amgen Inc. – Inadvertent disclosure – 4
- News America Incorporated – Inadvertent disclosure – 9
- Ahold USA – Lost DVDs – 329
- Gap, Inc. – Insider  wrongdoing – 18
- iHomeaudio.com – Hacking – 70
- SDI Technologies – Hacking – 876
- ING Life Insurance – Inadvertent disclosure – 4
- SportDOG – Hacking – 15
- Fox Television Animation – Stolen computer – 48
- Metropolitan Life Insurance Co. – Insider wrongdoing – 21
- Currier Plastics – Hacking – 110
- NBC/Universal – Stolen computer – 22
- Ann Moore’s – Hacking – 11
- Fleet Filter – Hacking – 2
- Beecher Carlson Insurance Services – Stolen computer – 2,824
- Shufelt Inc dba Fantastic Sams – Hacking – 600
- ValueVision Media d/b/a ShopNBC – Insider wrongdoing – 5
- Value Vision Media d/b/a ShopNBC – Insider wrongdoing – 4
- J. Crew Group – Â Insider wrongdoing – 1
- Beer & Hobby – Hacking – 42
- City Bar Solas – Hacking – 1
- Cobblestone Restaurant – Hacking – 1
- Ned Devine’s Paris – Hacking – 12
- The Green Briar – Hacking – 1
- The Harp – Hacking – 1
- Trump International Beach Resort – Hacking – 28
- MJ O’Connors – Hacking – 10
Between this latest reveal, HHS and the MD AG’s office reporting information late, all data pertaining to information discovered in print in 2010 will be completely skewed. I seriously doubt that any number of breaches reported are in any manner the total number of breaches. The only true data will be paper vs electronic, type of theft and the category of the entity. And look at the number of “records/individuals” reported. A hacking that only took information of one person – be serious! This is only those in NY and not in other states that are still not reporting. If this latest revelation about notification to states hasn’t made you angry, then you just don’t get it. How many breaches are being hidden from the public? How many decide not to report because they don’t think there is risk of harm? Shouldn’t someone with authority decide risk of harm.
I agree with much of what you say, of course.
I don’t even know that paper vs. electronic will be valid, Golde, because some states don’t require notification to state if the breach involves paper records. And HHS isn’t telling us whether there are any financial or SSN records involved in the breaches that are posted to their OCR site — all we know there is that somehow “unsecured PHI” is involved.
If I had my druthers, all breaches involving PII and/or PHI would be reported to states and all states would upload the breach reports they receive. Of course, we’d need a federal law and a federal definition of PII. Imagine how the lobbyists would be scrambling like mad if a serious bill to do that were introduced that didn’t contain a gadzillion loopholes….